providers/oauth2: make exp optional on jwt client_credentials flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-04-10 17:02:25 +02:00 · 2022-04-10 17:02:25 +02:00 · f977bf61eb
parent f8f8a9bbb9
commit f977bf61eb
2 changed files with 9 additions and 6 deletions
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -60,6 +60,8 @@ def clean_temporary_users(self: MonitoredTask):
    messages = []
    deleted_users = 0
    for user in User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_GENERATED}": True}):
+        if USER_ATTRIBUTE_EXPIRES not in user.attributes:
+            continue
        delta: timedelta = _now - datetime.fromtimestamp(
            user.attributes.get(USER_ATTRIBUTE_EXPIRES)
        )
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -280,11 +280,12 @@ class TokenParams:
        if not token:
            raise TokenError("invalid_grant")

-        exp = datetime.fromtimestamp(token["exp"])
-        # Non-timezone aware check since we assume `exp` is in UTC
-        if datetime.now() >= exp:
-            LOGGER.info("JWT token expired")
-            raise TokenError("invalid_grant")
+        if "exp" in token:
+            exp = datetime.fromtimestamp(token["exp"])
+            # Non-timezone aware check since we assume `exp` is in UTC
+            if datetime.now() >= exp:
+                LOGGER.info("JWT token expired")
+                raise TokenError("invalid_grant")

        app = Application.objects.filter(provider=self.provider).first()
        if not app or not app.provider:
@ -298,7 +299,7 @@ class TokenParams:
            defaults={
                "attributes": {
                    USER_ATTRIBUTE_GENERATED: True,
-                    USER_ATTRIBUTE_EXPIRES: token["exp"],
+                    USER_ATTRIBUTE_EXPIRES: token.get("exp"),
                },
                "last_login": now(),
                "name": f"Autogenerated user from application {app.name} (client credentials JWT)",